Microsoft Exchange Server Zero-Day Vulnerabilities

Microsoft has recently notified users of multiple vulnerabilities for on-premises Exchange Servers that are being exploited by a nation-state affiliated group. These vulnerabilities exist in on-premises Exchange Servers 2010, 2013, 2016, and 2019.  Exchange Online is not affected. Microsoft highly recommends that you take immediate action to apply the patches for any on-premises Exchange deployments you have or are managing. The first priority being servers which are accessible from the Internet (e.g., servers publishing Outlook on the web/OWA and ECP).

Microsoft attributes the attacks to a group it calls Hafnium, which it says is a state-sponsored threat actor that operates from China. The attackers used the bugs in on-premise Exchange servers to access email accounts of users. The four bugs are being tracked as CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065.

Huntress has challenged Microsoft’s claim that Chinese hackers executed “limited and targeted attacks” against on-premises Exchange servers, arguing the scope of compromise is fairly widespread. The Ellicott City, Md.-based managed detection and response (MDR) vendor said roughly 400 of the 2,000 Exchange servers the company has checked are susceptible to the zero-day vulnerabilities being exploited by Chinese hacking group Hafnium, with an additionally 100 servers potentially vulnerable. In addition, Huntress said nearly 200 of its partners’ servers have received malicious web shell payloads.

Patching Exchange Server Vulnerabilities

To patch these vulnerabilities, you should move to the latest Exchange Cumulative Updates and then install the relevant security updates on each Exchange Server.

• You can use the Exchange Server Health Checker script, which can be downloaded from GitHub (use the latest release).
• Running this script will tell you if you are behind on your on-premises Exchange Server updates (note that the script does not support Exchange Server 2010).
• We also recommend that your security team assess whether or not the vulnerabilities were being exploited by using the Indicators of Compromise we shared here.

What is Microsoft Exchange Server?

Microsoft Exchange Server is a email and calendaring server operating system developed by Microsoft. It’s used primarily by businesses to run email, calendars, contacts, and scheduling. It’s an alternate option to Microsoft’s cloud platform, Microsoft 365. Many larger businesses find that it is cheaper to run their own Exchange Server than pay the monthly costs associated with Microsoft 365. Microsoft Exchange Server’s first iteration was was called Exchange Server 4.0 and was released in 1996. The latest version is Exchange Server 2019 and was released in 2018.

Exchange Patching Assistance

If you need assistance patching these vulnerabilities, please reach out to our network support team. Pennyrile Technologies can also assist keeping your computers and servers updated along with migrating from on-premises Exchange Servers to Exchange Online and Office 365.